← Back to Skills Marketplace

Video Crawler

Name: Video Crawler
Author: ly5201314gjx

by ly5201314gjx · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

595

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install video-crawler

Description

Extract videos from Douyin and Twitter by providing platform and URL, outputting the downloaded video file or an error message.

Usage Guidance

This skill appears to do what it says (download Douyin/X videos), but the embedded hard-coded API key in the source is a red flag. Before installing or running it: (1) ask the author why the DASHSCOPE_API_KEY exists and request its removal; (2) do not run it on machines or accounts that hold sensitive credentials; run it in an isolated sandbox/container if you must test; (3) if the key belongs to you or your org, assume it is compromised and rotate/revoke it immediately; (4) consider manually reviewing the code (or having a trusted reviewer do so) for any other hidden endpoints or secrets; and (5) prefer a version from a known, reputable source or one that does not contain embedded secrets.

Capability Analysis

Type: OpenClaw Skill Name: video-crawler Version: 1.0.0 The `video_crawler.py` script is vulnerable to arbitrary file write due to the `output_file` argument being directly used in `open()` and passed to `yt-dlp` without sanitization or path restrictions. An attacker or a compromised agent could specify a sensitive system path (e.g., `/etc/passwd`, `~/.bashrc`) as the output file, leading to file corruption, denial of service, or potential privilege escalation. Additionally, an unused API key (`DASHSCOPE_API_KEY`) is hardcoded in `video_crawler.py`, which is a bad security practice, though not directly exploitable in this version. There is no evidence of intentional malicious behavior like data exfiltration or backdoor installation, nor any prompt injection attempts in `SKILL.md`.

Capability Assessment

ℹ Purpose & Capability

Name/description, the SKILL.md, and the code align: the script uses Playwright + requests to fetch Douyin videos and yt-dlp to fetch Twitter/X videos. The declared dependencies in the README (playwright, requests, yt-dlp) are appropriate for the stated functionality. However, the code includes a hard-coded DASHSCOPE_API_KEY constant (looks like an sk-... secret) that has no role in the stated purpose — this is unexpected and unexplained.

ℹ Instruction Scope

SKILL.md gives clear, limited runtime instructions (install dependencies, run python3 video_crawler.py <platform> <url> [output]). The instructions do not ask the agent to read unrelated files or environment state. The implementation performs network requests and writes temporary files in /tmp (expected for downloading). The only scope discrepancy is that SKILL.md does not mention any API key or external service that would justify the embedded secret.

ℹ Install Mechanism

This is an instruction-only skill (no registry install spec). The README recommends pip install of third-party packages and running 'playwright install chromium' — normal for this functionality but note that pip package installation and Playwright's browser install will download and execute code from upstream package indexes/CDNs. That is expected but carries the usual supply-chain risk.

⚠ Credentials

The skill declares no required environment variables or credentials, yet the Python source contains a hard-coded constant named DASHSCOPE_API_KEY with a value that looks like an API secret (sk-...). Embedding such a secret in code is a mismatch with the declared requirements and is a sensitive risk (exposed credential or backdoor). The key is not used anywhere in the file, which suggests it may be leftover, accidentally committed, or a hidden/unneeded back channel — none of which are good signs.

✓ Persistence & Privilege

The skill does not request persistent installation hooks, does not set always: true, and does not modify other skills or system-wide agent settings. It runs as an on-demand script and writes downloaded files to /tmp — within expected privilege for its purpose.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install video-crawler
After installation, invoke the skill by name or use /video-crawler
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Initial release of Video Crawler. - Supports downloading videos from Douyin and Twitter via command line. - Easy installation instructions using pip and playwright. - Outputs either the saved file path on success or an error message on failure. - Notes on video size and potential platform-specific download times included.

Metadata

Slug video-crawler

Version 1.0.0

License —

All-time Installs 7

Active Installs 7

Total Versions 1

Frequently Asked Questions

What is Video Crawler?

Extract videos from Douyin and Twitter by providing platform and URL, outputting the downloaded video file or an error message. It is an AI Agent Skill for Claude Code / OpenClaw, with 595 downloads so far.

How do I install Video Crawler?

Run "/install video-crawler" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Video Crawler free?

Yes, Video Crawler is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Video Crawler support?

Video Crawler is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Video Crawler?

It is built and maintained by ly5201314gjx (@ly5201314gjx); the current version is v1.0.0.

More Skills